Allow app_zygote to read zygote_tmpfs.

app_zygote inherits tmpfs files from zygote, and needs to be able to stat them after fork. Bug: 192634726 Bug: 192572973 Bug: 119800099 Test: forrest Ignore-AOSP-First: cherry pick of https://r.android.com/1753279 Change-Id: I6ddf433dbbf4a894fcb6d35c0cb723444d360e47
2021-07-01 22:07:32 +02:00 · 2021-07-01 22:07:32 +02:00 · 67db7e2d88
commit 67db7e2d88
parent ae1b59975a
2 changed files with 6 additions and 0 deletions
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@ -41,6 +41,9 @@ selinux_check_context(app_zygote)
 # Check SELinux permissions.
 selinux_check_access(app_zygote)

+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@ -41,6 +41,9 @@ selinux_check_context(app_zygote)
 # Check SELinux permissions.
 selinux_check_access(app_zygote)

+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######